WebServicesAuth
For the most part our web services are authenticated by a signature included in the HTTP headers. There is a small subset of services which the Portal's browser client uses. When the browser calls these services the Portal's session id is passed as the query parameter sessionId instead.
In either case the server-side authentication is handled by the class edu.upenn.cis.db.mefview.services.SigServerRequestFilter, which is an implementation of javax.ws.rs.container.ContainerRequestFilter and is registered in edu.upenn.cis.db.mefview.server.IEEGServices, our implementation of javax.ws.rs.core.Application.
SigServerRequestFilter is also responsible for looking up the User object for the name and adding this to the ContainerRequestContext so that it can be accessed in the service's implementation and used for authorization, since the filter is only responsible for authentication.
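
An added example of a request filter with the two authentication paths described above and the hand-off of the user to the service; it is not the project's SigServerRequestFilter. The header names, the HMAC-SHA256 string-to-sign, the UserStore interface and the property key are assumptions made for illustration, since the page does not specify the scheme that SignatureGenerator implements.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

// Illustration only: header names, HMAC-SHA256 and UserStore are assumptions.
public class ExampleAuthFilter implements ContainerRequestFilter {
    public static final String USER_PROPERTY = "example.authenticatedUser"; // hypothetical key
    public interface UserStore { // hypothetical lookup API; methods return null on no match
        Object findBySession(String sessionId);
        Object findByName(String userName);
        byte[] signingKeyFor(String userName);
    }
    private final UserStore users;
    public ExampleAuthFilter(UserStore users) { this.users = users; }
    @Override
    public void filter(ContainerRequestContext ctx) {
        String sessionId = ctx.getUriInfo().getQueryParameters().getFirst("sessionId");
        String name = ctx.getHeaderString("X-Example-User");      // assumed header name
        String sig = ctx.getHeaderString("X-Example-Signature");  // assumed header name
        Object user = null;
        if (sessionId != null) {                     // browser path: session id in query
            user = users.findBySession(sessionId);
        } else if (name != null && sig != null) {    // signed-client path: HTTP headers
            byte[] key = users.signingKeyFor(name);
            if (key != null && matches(key, ctx, sig)) user = users.findByName(name);
        }
        if (user == null) {                          // fail closed on any missing or bad input
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        ctx.setProperty(USER_PROPERTY, user);        // authentication only; service authorizes
    }
    private static boolean matches(byte[] key, ContainerRequestContext ctx, String sig) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            String toSign = ctx.getMethod() + "\n" + ctx.getUriInfo().getRequestUri();
            byte[] expected = mac.doFinal(toSign.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, Base64.getDecoder().decode(sig));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed signature or unusable key: treat as unauthenticated
        }
    }
}
```

A service method would read the user back with ctx.getProperty(ExampleAuthFilter.USER_PROPERTY) and make its own authorization decision. The string-to-sign in this example covers only the method and URI; a production scheme would normally also bind a timestamp or nonce and the request body.
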
There are two non-browser clients. One is edu.upenn.cis.db.mefview.services.TimeSeriesInterface, which is used by the MATLAB toolbox, and the other is org.ieeg.cli.ieeg.WebServiceClient, which is used by the ieeg command line program.
Both of these register a javax.ws.rs.client.ClientRequestFilter called edu.upenn.cis.db.mefview.services.SigClientRequestFilter. This filter is responsible for calculating the signature for the request and adding the appropriate HTTP headers. The clients use the class edu.upenn.cis.db.mefview.services.UserAndPassword to pass the user's name and hashed password to the filter. There are setUserAndPassword convenience methods in TimeSeriesInterface and WebServiceClient for setting these values. ClientRequestFilter nulls out these values when it is done making the request.
The actual calculation of signatures, both on the client and the server, is done by the class edu.upenn.cis.db.mefview.services.SignatureGenerator.
Not all services take signature-style authentication (authc); see SigServerRequestFilter.